Date: 22 Dec 2004 10:03:44 -0000
From: James Bandara <jamez1@...il.com>
To: bugtraq@...urityfocus.com
Subject: Security Advisory for ALL forum services with client-set images




Hi,
Many widely used Bulletin Board Services and Forum Services allow for Clients to set images such as avatars and in their signature/post.

Images work by the client's browser going to that address, like it would for a normal web page except after downloading the file, it tries to open it as an image.

Many of these services, if not all, have command functions like delete a thread in the form of a hyperlink.

A user could copy one of these links to delete his own thread, edit it so the querystring is for another user's post, and post it up as a link or avatar.

In effect if an admin sees the image or the original user sees it, it will instantly delete the post as it's on the same site no extra login is needed.

To block this I suggest you edit your service to only accept links that end in image formats for images before the querystring.

I have tested this many times on a modified version of webwiz forums, yet delete is about the only thing that works.
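
The check suggested in the message above, sketched as server-side validation of a user-supplied image URL; this is an added example, not part of the original post and not code from any forum product. The extension allow-list, the function names and the `forum.example` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit
import posixpath

# Assumed allow-list; the message only says "image formats".
IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png"}


def is_acceptable_image_url(url: str) -> bool:
    """True only if the URL *path* (the part before the query string)
    ends in an allowed image extension."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 literal
        return False
    # Only absolute http(s) URLs: no data:, no scheme-less or relative links.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # splitext looks at parts.path only, so an image-looking suffix placed
    # in the query string or fragment does not count.
    ext = posixpath.splitext(parts.path)[1].lower()
    return ext in IMAGE_EXTENSIONS


def partition_image_urls(urls):
    """Split submitted avatar/signature URLs into (accepted, rejected)."""
    accepted, rejected = [], []
    for u in urls:
        (accepted if is_acceptable_image_url(u) else rejected).append(u)
    return accepted, rejected


# Constructed sample input (hypothetical host and script names).
SAMPLE = [
    "http://forum.example/avatars/cat.gif",
    "http://forum.example/img/Photo.JPG?size=small",
    "http://forum.example/delete_post.asp?PID=42",
    "http://forum.example/delete_post.asp?PID=42&x=.gif",
    "/delete_post.asp?PID=42",
]

if __name__ == "__main__":
    ok, bad = partition_image_urls(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```

This check looks only at the URL text, not at what the server returns for it, so it complements rather than replaces requiring a POST with a per-session token for state-changing actions such as delete.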

